Coinhive: Innovative but Abused

25 September 2017

Cryptocurrencies are fast becoming, if not already, a massive investment tool that is rewriting the rules as to what the currency currently in your wallet can be. With innovation often comes teething problems, these in themselves are not a worry. What is a worry is how malware authors are exploiting innovative ideas for short-term gain. This is hardly new and seems to be an information age constant in that if a tool or idea can be abused to swindle and extort it shall. This maxim is probably not even an information age phenomenon but one that pervades human history.

Coinhive appears to have started its life fairly innocently. As a tool Coinhive could be used by website owners to generate extra income rather than utilizing ad banners. It is essentially a java library that can be added to the website which when visited by a visitor Coinhive will use a percentage of the visitors CPU to mine Monero. Once the visitor is no longer on the page Coinhive will stop mining using the visitor’s CPU. The Pirate Bay, the famous or infamous depending on which side of the piracy fence you sit, began trailing Coinhive rather than having ad banners on their torrent website. Users were notified about the trial and its implications but were soon dropped by The Pirate Bay due to negative user feedback.

Despite the negative user feedback experienced by the Pirate Bay, the creators of Coinhive developed an innovative piece of code which is forward thinking. Sadly such thinking has already been abused by cybercriminals to mine Monero without the victim’s consent. This is another chapter in the rise in popularity in what is termed by researchers as “cryptojacking”.

Authors of Safebrowser begin abuse of Coinhive

Users, over 140,000 of them, who use Safebrowser, a chrome extension, noticed that upon opening their browser with the extension installed their CPU usage was driven through the roof. It obviously noted by user’s when they saw a massive performance in drop on their system. This resulted in complaints been made and further research be conducted by third parties. Upon a basic evaluation, it could be easily seen that the author had added the Coinhive java library. In this instance as soon as the user’s browser was opened the add-on would begin mining Monero, unlike the original intent of the creators of Coinhive to only mine once a website was visited and end once the visitor left said website. A clear abuse of Coinhive.

Another instance of abuse can be found in a number of CPU resources hijacked for mining. According to research done by writers at Bleeping Computer, once they began testing the extension it was quite quickly noticed that that the hijacked resources amounted to a massive percentage of the overall performance. Upon opening the extension they discovered that Task Manager froze. Once Task Manager began to operate it reported that the extension was using a massive 60% of the CPU resources available.

Safebrowser is still available for download but with no mention on their website or within the privacy policy of the inclusion of the Coinhive library. In Bleeping Computer’s published article regarding the matter, they reached out to the authors of Safebrowser for a response, to which they responded, “Unfortunately we have no knowledge, apparently has been a hack. I'm currently researching, I have already contacted the Google team. The extension has not received an update for months, so I do not know what it's all about.” Given Safebrowser’s less than spectacular past with abusing extensions if you take this response with a pinch of salt you would be forgiven.

Typosquatted domains and hacked Wordpress sites followed

In another cunning instance, someone registers the domain name twitter.com.com and embedded the Coinhive library onto the website, thus anybody who misspelled the address they were intending to go, in this case, Twitter, would be directed to the above domain and Monero would be mined for the seconds it took to realize their mistake. If the person began to register more domain based on the same idea it is more than possible to generate a tidy profit.

Researchers at Sucuri then discovered that Wordpress website had been hacked to include the Coinhive miner. Not only were Wordpress websites modified to include the miner but Magento websites as well. While the use of crypto jackers may be relatively new the vectors of attack are not. Hackers are still using the tried and tested methods to deliver malicious payloads. This, in turn, means they can be detected even if the change in CPU performance seems unnoticeable. However, in most instances, it will be the obvious drop in performance that will serve as a key indicator in determining if a miner has been deployed on the system.

Not to left out of the cryptocurrency party, one of the biggest maladvertisers has also begun to use Coinhive in additional to their stock adware, according to researchers at TrendLabs. Malicious ads would direct users to bogus tech support websites embedded with the miner which would mine Monero while the user figured out if the website was legitimate or not.

The year of cryptocurrency miners

While still a relatively new method of extorting money, the popularity of employing such methods has risen dramatically. Kaspersky reported that it has seen over 1.65 million computers infected with a miner of one sort or the other. IBM has also reported a spike in miners installed on enterprise networks. So far in 2017, 16 distribution campaigns have been detected spreading cryptocurrency miners. Amazon, CS:GO, and Linux have been some of the prominent names affected by such campaigns. Given the increasing popularity of cryptocurrencies and the almost zero-sum game for hackers wishing to deploy miners, users can expect to see a massive surge in such campaigns.

The following is a list of campaigns for the calendar year so far:

Terror Exploit Kit dropped a Monero miner back in January

Even some Mirai botnet variants tested a cryptocurrency mining function